On Wed, Feb 6, 2019 at 5:18 AM Neil Bothwick <n...@digimed.co.uk> wrote: > > On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote: > > > My own solution is actually very simple. I have a "secret algorithm" > > that incorporates several secrets with a predictable way to generate a > > site-specific secret. The end result is a 100% predictable way to > > generate unique passwords for every site that are cryptographically > > secure from each other (you cannot derive > > one from the other) which can be generated by any device using the > > appropriate tools. > > The was a tool in portage this did this. I tried it but it did not work > in the real world because you couldn't set a rule for generated passwords > that matched the requirements of all sites, for example some require a > non-alphanumeric character while other sites only allow alphanumerics. > > I can remember what the tools was called, although I'm pretty sure it > was written in Python. I'd be interested to know how you get around the > conflicting restrictions as this seems a good way to do things. >
Well the original idea is to reduce dependency on specific tools, such that the algorithm is the secret, and the passwords are just byproducts of the secret. You will still need tools to do any hashing, but those are generic tools you can acquire anywhere. So for example, the "password123" equivalent secret algorithm might be: 1) global pepper: "password" 3) site-specific pepper: pepper plus number = vowels in domain name 2) site-specific ID: pepper dot domain name dot username 4) hashing algorithm: md5sum + base64, take first 8 Example application: madum...@gmail.com 1) site-specific pepper: pepper3 (3 vowels in domain name: google) 2) site-specific ID: pepper3.google.madumlao 3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> NGI3MTQz 4) combined with global pepper: password.NGI3MTQz 5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> MWJjZjg2 password: MWJjZjg2 Example application: madum...@yahoo.com 1) site-specific pepper: pepper3 (3 vowels in domain name: yahoo) 2) site-specific ID: pepper3.yahoo.madumlao 3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> ZDQzZGM5 4) combined with global pepper: password.ZDQzZGM5 5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> ZjUwMTI2 password: ZjUwMTI2 The procedure takes up a little more headspace than 1 password, but definitely less headspace than a dozen cryptographically secure passwords. You can change the hashing algorithm, peppering rule, ID rule, number of characters, etc to your tastes. You can add iteration rules for the nth password change anywhere in the procedure, and add constraint rules for sites that have certain password limitations (the caveat is that you have to remember which sites have password changes and constraints). For me really all that matters is that the building blocks are widely available and the end result incorporates data loss that makes it impossible to recover the original secrets. "Obviously" do not use this algorithm as-is. The algorithm, not the password, is the secret, so using this algorithm as is is the equivalent of using any example of a crypto secure password (correct horse battery stapler) as a password. -- This email is: [ ] actionable [x] fyi [ ] social Response needed: [ ] yes [x] up to you [ ] no Time-sensitive: [ ] immediate [ ] soon [x] none
